Detects COM object hijacking via TreatAs subkey

Read More

Detects registry keys related to NetWire RAT

Read More

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Read More

Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors

Read More

Detects when an attacker registers a new AMSI provider in order to achieve persistence

Read More

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

Read More

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

Read More

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

Read More